Nobody forgets to focus on SEO. Until they get hacked and the rankings go away.

Shouldn’t improving web security be a part of your SEO effort?

Even if your site is not hacked, the constant attacks from site hackers can prevent GoogleBot from adequately accessing your site by causing your web server to slow down (throttle) your web traffic and even stop showing web pages to Google.

Ever see strange 404 errors in the Google Search Console for pages that aren’t missing? Google tried crawling existing pages but your server said they were missing. That kind of error can be caused by attacks from website scrapers and hackers.

This is an example of how web security directly affects SEO. A focus on security could mitigate those attacks and help your SEO by allowing Google to adequately crawl your web pages.

Hacks are Related to SEO

According to a study by GoDaddy, 73.9% of hacked sites are hacked for SEO purposes. Hackers add links to a website, add new web pages and can even start showing a different site altogether just to Google.

The reason behind a majority of hacking events have SEO as a reason.

The impact to a publisher’s SEO can be devastating because rankings can slip and the site can become blacklisted. According to GoDaddy’s study:

“Search engine optimization (SEO) spam chases away customers and increases the risk of blacklisting. As the chart shows, it’s a favorite among hackers because they use it to redirect website visitors to malicious sites.”

Web Security Monitoring

The consequences of ignoring this problem are severe. Yet only 50% of publishers monitor for potential hacking events.

GoDaddy’s analysis of over 65,000 websites revealed that only 6,500 were banned by search engines. First, relying on Google to notify you if you’re banned is a bad way to do business. Secondly, GoDaddy’s research shows that only 10% of infected sites were banned.

That means the other 90% were hanging out there in an infected state, possibly without notification from Google. Yet the impact to rankings could still affect a website. The addition of spam pages and spam links to a website can only have a negative outcome.

Being a Leader is about Being Proactive

About 13 years ago when I lived in San Francisco, I had lunch with a Yahoo executive and a top programmer at Yahoo’s headquarters in California.

At the time it was possible to do a search on virtually anything and every once in awhile click on a search result that resulted in a virus download. It didn’t happen often, but it happened more often than it does today.

So during lunch I suggested it might be a good idea to scan for that and not show virus infected webpages to users. The Yahoo programmer said that it was not Yahoo’s responsibility to be the antivirus software for the Internet.

He insisted that it was their job to be a search engine and that it was the user’s burden to purchase an antivirus software. It was a reasonable argument against scanning search results for viruses.

About four or five months later, Google started blocking virus laden websites. Yahoo soon followed Google’s lead.

The point of that anecdote is that we sometimes become locked into a perception of what SEO is and can overlook what SEO can be.

Web security is the component that is the missing from SEO as a strategy. When was the last time web security was discussed in the context of a site audit or SEO planning?

WordPress Plugins & Web Security

There are businesses whose SEO model is to purchase WordPress plugins from the plugin author. The purpose is to update the code to make the plugin add hidden links to websites under the control of the new owner.

Review each plugin and script that you use. Google the name of the plugin to check if it has a history of being hacked.

Go to Google with a list of your plugins and search for:

Name of plugin + hacked

Name of plugin + bugs

Don’t Make Google Your Antivirus

According to GoDaddy’s research, only 50 percent of surveyed businesses indicated they used a monitoring system for security protection.

These plugins monitor and scan for potential hacking events and also have firewall features that block hackers temporarily or permanently. They can also block the IP addresses of visitors that are behaving suspiciously.

A third useful WordPress plugin is the Two Factor Authentication plugin by the authors of the UpDraftPlus WordPress backup plugin. The plugin works with both Authy and Google Authenticator, and other popular two factor authentication systems.

Lastly, there are services that monitor your content for SEO purposes but can also provide an extra layer of protection. Thus, if a plugin goes rogue and starts doing something it’s not supposed to, you will be notified. If an attacker is adding links to your website, the monitoring software can alert you to that.

One such service is called ContentKing, a real-time SEO auditing and content tracking solution. It is so comprehensive, that users of its service would have known something went horribly wrong in early 2018 when an SEO plugin that started adding thousands of rogue webpages after it routinely updated.

ContentKing’s website explains how their service would have alerted WordPress users of the SEO Plugin Bug because once the SEO plugin started adding rogue web pages, ContentKing customers would have been alerted to a sudden increase in website size.

According to Steven Van Vessum of ContentKing:

“We do keep track of all newly added pages. You’d see soon enough if a ton of pages with strange URLs were added by someone else than yourself. Checking newly added pages only takes you 10 seconds so it’s easy to make that part of your morning routine.”

As for rogue links added to existing web pages:

“If the links were added to the HTML, so no fancy JS links etc., then we’d definitely pick up on the links and you’d be able to find them in ContentKing.”

Whose Responsibility is Web Security?

Web security affects everyone. So everyone should have a say about what’s going to be done about it, whether it’s someone in IT or the head of your SEO doesn’t matter.

What matters is that someone is making sure that a proactive anti-hacking strategy is in place and that the strategy be reviewed and kept updated.